Last week’s $320m Wormhole hack raises serious questions about contagion risks between crypto and the broader financial markets.
$320m of disappearing ether
On February 2, an attacker exploited faulty code in a software protocol called Wormhole to steal 120,000 ether tokens (worth around $320m).
According to the Block, the hack was the largest successful exploit in the decentralised finance (DeFi) market to date.
The next day Jump Crypto, the cryptocurrency unit of electronic market maker Jump Trading, said it had covered the loss “to make community members whole and support Wormhole now as it continues to develop”.
Jump was the effective owner of Wormhole: in August last year it bought Certus One, a blockchain infrastructure provider and the developer of the DeFi protocol.
Settlement on cryptocurrency blockchains
The Wormhole hack highlighted the anarchic settlement procedures that have developed in cryptocurrency, and in particular those used to move value from one blockchain to another.
In the original cryptocurrency, bitcoin, settlement is a probabilistic process, rather than something that becomes completely final at a point in time (as in conventional financial market settlement systems).
This is because bitcoin uses a so-called ‘proof-of-work’ consensus mechanism and the passing of time makes it progressively harder to rewrite the cryptocurrency’s transaction history.
Market convention is that six bitcoin blocks (or about an hour) need to occur before a settlement is considered irreversible.
Similarly, in ethereum, the second-largest cryptocurrency, market participants also assume that six blocks need to occur for settlement to be final.
As ethereum blocks are minted every ten seconds (compared with bitcoin’s ten minutes), this settlement process takes about a minute.
DeFi drives demand for cheaper settlement
During the last year, the rising popularity of decentralised finance (DeFi)—automated protocols for lending, trading and investing—has led to increasing congestion in the ethereum network, which has been closely associated with DeFi.
This is because ethereum supports automated contracts with pre-defined protocols, often referred to as ‘smart contracts’.
Ethereum’s growing network congestion can be seen in its monthly transaction fees, which rose more than tenfold in the second half of 2021, from $166m in June to $1.822bn in November, according to data firm CryptoCompare.
The average ethereum transaction fee also rose by a factor of more than ten, said the firm, from $4.73 in June to $48.33 in November.
This cost pressure has led to an intensifying search for alternatives to ethereum as the underlying settlement network for DeFi.
Blockchains such as Solana, Polkadot and Cardano were specifically developed to support DeFi smart contracts while offering higher transaction throughput and lower settlement times.
In January, a Bank of America analyst said Solana could soon rival the Visa network as a result of its high speed, low cost and scalability.
By comparison with bitcoin and ethereum, Solana uses a different consensus mechanism, called ‘proof-of-stake’, to process transactions: the Solana blockchain relies on a group of over a thousand ‘validators’ for this purpose.
Solana says it offers close-to-instantaneous (0.4 second) settlement and fees of around two hundredths of a US cent per transaction.
Software bridges to transfer value
The rise of competing DeFi blockchains soon led to demands for software ‘bridges’ to transfer value between protocols.
Wormhole, one of these bridges, advertised itself as “facilitating transfers of any kind of information from one chain to another”.
“Wormhole is a communication bridge between Solana and other top decentralized finance (DeFi) networks,” the Solana foundation’s website says.
“Existing projects, platforms, and communities are able to move tokenized assets seamlessly across blockchains and benefit from Solana’s high speed and low cost,” it goes on.
Bridges rely on the use of ‘wrapped’ cryptocurrency tokens to immobilise value on one blockchain and issue an equivalent amount of value on another blockchain.
This process is handled automatically by means of smart contracts: for example, wrapped ether can be issued by locking the original asset on its own blockchain (ethereum) and simultaneously minting the wrapped version on Solana.
However, design flaws in the ethereum-Solana bridging process enabled the Wormhole hack.
According to internet security researchers, the hacker was apparently able to spoof signatures to mint 120,000 wrapped ether tokens on Solana without first having immobilised the equivalent amount of ether tokens on the ethereum network.
The hacker then reversed the fictitious trade and was able to withdraw the ether.
Although cryptocurrency markets have recovered since the hack—Solana tokens rose over 30 percent in the four days following the announcement of the Wormhole bailout—the incident raises broader questions about the safety of cryptocurrency transactions and the potential knock-on effects to traditional financial markets.
In December, the Bank for International Settlements (BIS) warned of rising contagion risks from DeFi to the rest of the financial system.
Hossein Nabilou, assistant professor of law at the University of Amsterdam and the author of a new paper on settlement in cryptocurrency, echoed these concerns.
“The probabilistic finality [of settlement] in proof-of-work blockchains may give rise to serious systemic concerns in case of potential interconnectedness of conventional payment and settlement systems with DeFi,” said Nabilou.
He cited the lack of a supporting legal regime for cryptocurrency settlement as a major concern, before sounding a warning about the lack of preparedness of financial supervisors to deal with a DeFi blow-up.
“At the moment, it is not clear if the cryptocurrencies become large enough, whether regulators or even central banks would be able to readily deal with such risks,” Nabilou said.
Sign up here for the New Money Review newsletter
Click here for a full list of episodes of the New Money Review podcast: the future of money in 30 minutes
Related content from New Money Review
Unstable DeFi could trigger wider crash
Hedge fund/crypto cocktail could be lethal